
CompTIA Security+ SY0-601 Domain 5: Governance, Risk, and Compliance

In the earlier version of Security+ (SY0-501), domain 5 covered only risk management, but in the latest version of Security+ (SY0-601) domain 5 introduces an important concept: Governance, Risk, and Compliance.


Presentation Transcript


  1. CompTIA Security+ SY0-601 Domain 5: Governance, Risk, and Compliance www.infosectrain.com | sales@infosectrain.com


  3. Security+ SY0-601 Domains
     There are 5 domains in the new version of Security+ SY0-601.

  4. • Domain 1.0: Attacks, Threats, and Vulnerabilities (24%)
     • Domain 2.0: Architecture and Design (21%)
     • Domain 3.0: Implementation (25%)
     • Domain 4.0: Operations and Incident Response (16%)
     • Domain 5.0: Governance, Risk, and Compliance (14%)
     In this blog, we discuss Domain 5.0: Governance, Risk, and Compliance.

  5. Governance, Risk, and Compliance
     In the earlier version of Security+ (SY0-501), domain 5 covered only risk management, but in the latest version of Security+ (SY0-601) domain 5 introduces an important concept: Governance, Risk, and Compliance. GRC (Governance, Risk, and Compliance) is the process of aligning and integrating IT and business objectives to verify that risks are managed effectively while maintaining efficient business operations and adherence to all applicable industry laws. This domain carries 14% of the exam weighting. The topics covered in this domain are:
     • Compare and contrast various types of controls
     • Explain the importance of applicable regulations, standards, or frameworks that impact the organizational security posture
     • Explain the importance of policies to organizational security
     • Summarize risk management processes and concepts
     • Explain privacy and sensitive data concepts in relation to security

  6. 1. Compare and contrast various types of controls
     This part tests candidates' ability to analyze and compare various security controls. In this subdomain, we will understand the categories of controls: Managerial, Operational, and Technical. We will also get familiar with the types of controls: Preventive, Detective, Corrective, Deterrent, Compensating, and Physical.

  7. 2. Explain the importance of applicable regulations, standards, or frameworks that impact the organizational security posture
     In this subdomain, we will learn about various regulations, standards, and legislation, including the General Data Protection Regulation (GDPR), national, territory, and state laws, and the Payment Card Industry Data Security Standard (PCI DSS). This part also explains the key security frameworks:
     • Center for Internet Security (CIS)
     • National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) / Cybersecurity Framework (CSF)
     • International Organization for Standardization (ISO) 27001/27002/27701/31000
     • SSAE SOC 2 Type I/II
     • Cloud Security Alliance (CSA)
     • Cloud Controls Matrix (CCM)

  8. In this part, we also learn about benchmarks and secure configuration guides, including platform- and vendor-specific guides for web servers, operating systems, application servers, and network infrastructure devices.

     3. Explain the importance of policies to organizational security
     In this subdomain, you will understand personnel management controls, third-party risk management, data and credential policies, organizational policies, and the diversity of training techniques. Under personnel management we cover topics such as Acceptable use policy, Job rotation, Mandatory vacation, Separation of duties, Least privilege, Clean desk space, Background checks, Non-disclosure agreement (NDA), Social media analysis, Onboarding, Offboarding, User training, Gamification, Capture the flag, Phishing campaigns, Phishing simulations, and Computer-based training (CBT). Third-party risk management focuses on the various types of agreements, such as the Service level agreement (SLA) and Business partnership agreement (BPA), and also covers Supply chain, Memorandum of understanding (MOU), and End of service life (EOSL).

  9. 4. Summarize risk management processes and concepts
     Many companies have risk management policies and processes in place to fulfill regulatory obligations and keep their operations safe. In this subdomain, we will summarize the concepts of risk management. We will understand the types of risk, such as External, Internal, Legacy systems, Multiparty, IP theft, and Software compliance/licensing, and the risk management strategies: Acceptance, Avoidance, Transference, and Cybersecurity insurance. We will also learn to define Risk analysis, Risk register, Risk control assessment, Single-Loss Expectancy (SLE), Annualized Loss Expectancy (ALE), and Annualized Rate of Occurrence (ARO), and understand Business impact analysis (BIA) concepts such as Recovery Time Objective (RTO), Recovery Point Objective (RPO), Mean Time To Repair (MTTR), Mean Time Between Failures (MTBF), Disaster Recovery Plan (DRP), Mission essential functions, and Identification of critical systems.

  10. 5. Explain privacy and sensitive data concepts in relation to security
     In this subdomain, we will understand the organizational consequences of privacy and data breaches: Reputation damage, Identity theft, Fines, and IP theft. We also get an in-depth understanding of data types and classifications: Public, Private, Sensitive, Confidential, Critical, and Proprietary. We understand privacy-enhancing technologies such as Data minimization, Data masking, Tokenization, Anonymization, and Pseudo-anonymization. We get familiar with roles and responsibilities: Data owners, Data controller, Data custodian/steward, and Data Protection Officer (DPO). We will also cover the information life cycle, Impact assessment, Terms of agreement, and Privacy notice.

  11. Learn Security+ With Us
     InfosecTrain is a leading IT security training and consulting organization, offering a wide range of IT security training. The training sessions are delivered by highly qualified and professional trainers with years of industry experience, whom you can easily interact with to resolve your doubts at any time. If you are interested in live online training, InfosecTrain provides the best online Security+ certification training. You can check and enroll in our CompTIA Security+ Online Certification Training to prepare for the certification exam.

  12. About InfosecTrain
     • Established in 2016, we are one of the finest Security and Technology Training and Consulting companies
     • Wide range of professional training programs, certifications & consulting services in the IT and Cyber Security domain
     • High-quality technical services, certifications or customized training programs curated by professionals with over 15 years of combined experience in the domain

  13. Our Endorsements

  14. Why InfosecTrain
     • Global Learning Partners
     • Access to the recorded sessions
     • Certified and Experienced Instructors
     • Flexible modes of Training
     • Post training completion
     • Tailor Made Training

  15. Our Trusted Clients

  16. Contact us
     Get your workforce reskilled by our certified and experienced instructors!
     IND: 1800-843-7890 (Toll Free) / US: +1 657-221-1127 / UK: +44 7451 208413
     sales@infosectrain.com | www.infosectrain.com
